Your Personal Data is collected, stored and used in order to respond to your insurance related inquiries and to provide you with insurance cover. The aim of this Privacy Notice (“Notice”) is to explain you what kind of your Personal Data is processed by dhig GmbH (in cases when it is actually a controller of your Personal Data – please see more details in the part “Controllers of your Personal Data”) and the Insurer (hereinafter dhig GmbH and the Insurer collectively may be referred to as the “Controllers”, and each separately may be referred to as the “Controller”), why it is processed, as well as to inform you on your rights related thereto.
This Notice explains the most important aspects of processing your Personal Data by dhig GmbH and the Insurer. For more detailed information on this please see the Privacy Policies of dhig GmbH (to be found at https://dhig.net) / the Insurer (as indicated further in this Notice) or contact them. Contact details are indicated further in this Notice, insurance Policy and/or Certificate.
Controllers of your Personal Data
In terms of this Notice a “controller” of Personal Data is a person determining the purposes and means of processing of this data; and a “processor” of Personal Data is a person, which processes this data on behalf of the Controller. The Controller bears primary responsibility for processing of Personal Data.
The Controllers of your Personal Data are:
- dhig GmbH – dhig GmbH is the Controller only of such your Personal Data, that was disclosed to dhig GmbH (if any) for the purpose of mediating regarding your insurance cover (i.e. when you or another person wishing to insure you (e.g. your employer) applies to dhig GmbH regarding its distributed insurance products, dhig GmbH will be the Controller in respect of your Personal Data as shared with it (if any) for processing the application for insurance, Underwriting, providing a proposal for insurance cover and arranging execution of respective Insurance Contract / reinsurance of your insurance cover).
Please note the following:
- not all insurance products as distributed by dhig GmbH require processing of your Personal Data in the mediation stage (i.e. before a respective Insurance Contract / its amendment / prolongation and etc. is entered into), and therefore dhig GmbH shall not be the Controller in all cases;
- dhig GmbH is the processor of your Personal Data, (for instance) when it is authorized by the Insurer to handle your insurance Claims and/or (as the case may be) to execute /implement / administer the Insurance Contract concluded for your benefit;
- in all its capacities (i.e. as the Controller and as the processor), when processing any Personal Data, dhig GmbH is subject to the Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”).
Should you wish to know the exact role of dhig GmbH in processing of your Personal Data, please do not hesitate to contact dhig GmbH per e-mail as foreseen herein.
- the Insurer – the insurance entity, which carries risk of your insurance cover. The identity and details of the Insurer are indicated in your insurance Policy and Certificate. The Insurer is the Controller in all cases of processing of your Personal Data related to your insurance cover (i.e. as necessary for processing the applications for insurance cover, Underwriting, proposing terms and conditions for insurance cover, executing and implementing respective Insurance Contracts, handling your requests for preliminary authorization and other your provided requests /forms in relation to your insurance cover, handling your Claims, and other).
Please also note that any applicable reinsurers and co-insurers of your insurance cover are additional controllers of your Personal Data.
The Insurer, reinsurers and co-insurers are oblidged to process your Personal Data in accordance with all laws applicable thereto.
Contact details of the Controllers
- dhig GmbH is the limited liability legal entity registered in the registry of legal entities of the Republic of Austria (Firmenbuch) under the number FN 515759 w. Its core business is insurance and reinsurance intermediation. Its contact details are as follows:
E-mail: [email protected]
Telephone: +43 1 300 81 81
Contact of the data protection officer: [email protected]
- The Insurer – the identity and contact details, as well as contact details of data protection officer (if appointed) of the Insurer are indicated in your insurance Policy and/or Certificate.
Personal Data that may be processed by the Controller (depending on the Controller’s role in this process and the purposes data is processed for)
- identification information, such as your full name age, date and place of birth, gender, national insurance number, driving license, passport or other identification document, signature, photo, nationality, citizenship, etc.
- your contact details, such as the country of residence, data related to planning on moving out of the country of residence, home country, email address, telephone numbers, etc.
- social security related data (including social security card number and other related data)
- employment related data – occupation / profession (current and previous), employment start and termination date, vacation, pregnancy, as well as other working time and absence from work related data (e.g. in case when you are to be insured by your employer under a group insurance contract)
- membership in an organization (e.g. when an organization arranges your insurance)
- travel related data (e.g. when you are interested in a travel insurance)
- your lifestyle and social circumstances, for example: your interests, such as whether you do sports, your housing status and number of dependents; your marital status; other family details (e.g. it may be relevant in case of medical insurance, depending on the type of the insurance cover)
- your insurance history related information (e.g. exclusions, limitations and other special terms and conditions that were previously applicable in respect of you)
- Personal Data about your family members or any other person included in your insurance (and their relationship to you)
- results of criminal checks relating to prevention of fraud and/or terrorist activities – if mandatory requested by applicable laws
- bank and related financial/taxation data (including copies of bank cards, credit/debit card and bank account details, information obtained as a result of our credit checks)
- details of political and economic sanctions, which would prevent the Insurer from implementing insurance coverage or from Claims payments in certain areas
- information relevant to your insurance Claim or your involvement in the matter giving rise to this Claim
- records of phone calls, video image from the video surveillance systems in the Controller’s buildings (if any);
- Sensitive Personal Data:
- health and medical history, medical condition related Personal Data, such as, for example: data resulting from medical reports or from death certificates; medical and medical claims history; details of physical and psychological health or medical conditions; and etc.
- details concerning sexual life or sexual orientation (for example, marital status)
- details regarding criminal offences (for instance, bankruptcies, previous criminal convictions)
- information about the Insurer’s products and services that you use
- transaction data (e.g. information on Insurance Premium payments)
- your marketing preferences
- other Personal Data as requested by the Insurer and/ or by its reinsurer /co-insurer
- other Personal Data that may be shared with the Controller by you or authorised third parties.
Purposes and legal basis for processing of your Personal Data
- For dhig GmbH
dhig GmbH (in the capacity of the Controller of your Personal Data) may process your Personal Data for the following purposes:
- duly respond to an inquiry / request regarding its distributed insurance product;
- for insurance and reinsurance mediation – this includes all such actions as may be necessary to be performed by it (in its capacity of an insurance / reinsurance intermediary) for arranging execution of your insurance cover, its co-insurance and reinsurance;
- to communicate with you and to resolve any other inquiries / complaints you may have;
- to meet its legal obligations;
- to prevent, detect and investigate fraud;
- to research for statistical purposes.
dhig GmbH (in the capacity of the Controller) processes your Personal Data on the following legal basis:
- to support legitimate interests that dhig GmbH has as a business (except where it is overridden by your interests or fundamental rights and freedoms which require protection of your Personal Data). As a rule, this may include processing of your Personal Data:
- to duly respond to an inquiry / request regarding its distributed insurance product
- to prepare for execution an Insurance Contract in respect of you
- to prepare for execution of a reinsurance contract in respect of your insurance;
- your provided consent (e.g. when processing Sensitive Personal Data) – wherever dhig GmbH processes your Personal Data based on your consent, you are entitled to withdraw such consent at any time. Should you withdraw your consent for processing your Personal Data, dhig GmbH might not be able to execute actions for which such processing is necessary;
- other lawful basis as foreseen by laws, such as: it is necessary to comply with a relevant legal obligation (e.g. where we are obliged to process your Personal Data for tax or accounting purposes); it is necessary for the performance of a contract to which you are a party, or to take steps (at your request) to enter into a contract; it is necessary to protect your vital interests or those of another natural person (e.g. in emergency cases); it is necessary to perform a task in the public interest or to exercise an official authority vested in dhig GmbH.
- For the Insurer
The Insurer may process your Personal Data for the following purposes:
- for execution, performance and administration of your Insurance Contract (e.g. quotation, Underwriting, presenting offers Claims handling, renewal, amendments, etc.);
- to redistribute your insurance related risk by means of reinsurance and co-insurance;
- to provide you with the possibility to use your insurance cover related services via a client internet portal;
- to respond to your requests, complaints, applications or other inquiries;
- to meet any legal obligations or requirements as set by special regulations (e.g. tax, accounting, archiving, risk management, and administrative obligations, etc.);
- to administer debt recoveries;
- for fraud prevention and detection purposes;
- for marketing communication and the purposes of direct marketing (based on your consent, if obligatory by applicable laws);
- for statistical and analytical purposes of the Insurer (e.g. to analyze needs of users of insurance services, to improve quality and level of services offered);
- to protect other legitimate interest of the Insurer (except where it is overridden by your interests or fundamental rights and freedoms which require protection of your Personal Data);
- for other purposes as may be set by the Insurer in compliance with applicable legislation.
The Insurer processes your Personal Data on the following legal basis:
- the Insurer shall process your Personal Data in order to take steps to conclude and/or perform your Insurance Contract, including to handle Claims;
- for performance of a legal obligation and/or grounds provided for in applicable legislation (including providing information to state and regulatory authorities, municipal, judicial and investigative bodies, including external auditors);
- on the grounds of its legitimate interest (except where it is overridden by your interests or fundamental rights and freedoms which require protection of your Personal Data) – e.g. for the purposes of improving the quality of services provided, for preventing insurance fraud, in the implementation of video surveillance, for portfolio analysis and video surveillance, for responding to your requests / inquiries, to arrange reinsurance / co-insurance of your insurance cover etc.;
- your provided consent (e.g. when processing Sensitive Personal Data, when processing Personal Data for direct marketing purposes, etc.) – wherever the Insurer processes your Personal Data based on your consent, you are entitled to withdraw such consent at any time by contacting the Insurer. Should you withdraw your consent for processing your Personal Data, the Insurer might not be able to execute actions for which such processing is necessary;
- the Insurer may also process your Personal Data on other basis as permitted by applicable laws.
Processing of your Sensitive Personal Data
For the purpose of this Notice “Sensitive Personal Data” shall mean Personal Data that can reveal your racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership. It also refers to the processing of data concerning your health, sexual orientation or your sex life.
Your Sensitive Personal Data may be processed for the following purposes:
- in order to assess whether and under what conditions an insurance cover may be provided, prolonged or amended in respect of you, as well as responding to your other related inquiries (e.g. for reviewing and evaluating application for insurance (including Medical Questionnaire) and related documentation, providing quotes, Underwriting);
- for the purpose of arranging, execution, administration and implementation of your insurance cover, its co-insurance and/or re-insurance (this would also include: renewal, prolongation and amendment of your insurance cover, its co-insurance and reinsurance);
- for assessing and handling Claims, as well as providing services that are owed to you under your insurance cover;
- other purposes as permitted by applicable laws.
Your Sensitive Personal Data may be processed:
- if you have given a respective explicit consent;
- processing is necessary to protect your vital interests or the vital interests of another natural person where you are physically or legally incapable of giving consent (e.g. in emergency cases);
- processing relates to Personal Data which are manifestly made public by you;
- processing is necessary for establishment, exercise or defense of legal claims;
- on other lawful basis as permitted by applicable laws.
How long do Controllers process your Personal Data
Duration of processing your Personal Data by the Controller depends on the purpose it was collected for and its nature, as well as on development of your relationship with this particular Controller. The Controller processes your Personal Data for as long as:
- it is necessary for the purpose it is processed for, and
- the Controller is legally obliged to retain Personal Data, and
- Personal Data is necessary for the establishment, exercise or defense of legal claims.
Please note the following:
- When you send dhig GmbH a request (e.g. a request for a quote or a question) and do not afterwards wish to further interact (i.e. you do not wish to further apply for an insurance distributed by dhig GmbH), dhig GmbH will stop processing your Personal Data, unless it believes there is a prospect of litigation relating to your Personal Data or dealings.
- As a rule, the Insurer will retain your Personal Data for 10 (ten) years from the date your insurance cover or product expires, your Claim has been settled or the business relationship ends, unless a longer retention period is required or is permitted by applicable law and necessary from the Insurer’s side.
- The Controller will not retain your Personal Data for longer than necessary and will hold it only for the purposes for which it was obtained.
With whom the Controllers share your Personal Data
The Controllers may share your Personal Data with:
- Entities within their group companies (including their subsidiaries, affiliates and other entities related), who help in providing and administrating their services (e.g. dhig GmbH may share your Personal Data with entities within Daily Health International Group)
- Third parties:
- your family members or other representatives (on behalf of you, where you are incapacitated or unable)
- your named representatives / contact persons (e.g. your lawyer, your insurance broker or other intermediary)
- Policyholder of your insurance cover – when you are insured under a group insurance cover (for instance, by your employer or organization you are a member of)
- their business partners – the Insurer/dhig GmbH, co-insurers, reinsurers, underwriters, medical consultants, other insurance and reinsurance intermediaries, TPA (third party administrators – i.e. entities engaged in handling insurance claims, provision of services covered by insurance contracts), providers of medical and other service (included under your insurance cover), translators, fraud detection agencies, collection companies, lawyers, auditors and accountants, as well as other persons involved in claims handling process
- other service providers retained to perform services on the behalf of the Controller or to otherwise support its activities related to processing of your Personal Data (e.g. IT services providers, archiving and shredding companies, external web service providers, direct marketing agencies, consultancy firms, advertising agencies, external call centers, etc.)
- state and other authorities, to which the Controller is obliged to disclose your Personal Data by applicable laws.
Transfer of Personal Data abroad
Due to different reasons (such as: your requested insurance, specific features of services provided to you, group structure of the Controller, other reasons), some of the recipients of your Personal Data may be located abroad. Your Personal Data will be transferred abroad only on the basis of appropriate and suitable safeguards as requested by applicable laws (if any).
Please note, that in accordance with GDPR the controllers and processors of personal data (that are subject to GDPR) are allowed to transfer personal data outside the European Economic Area (the “EEA”) only subject to appropriate and suitable safeguards as foreseen in GDPR – You have the right to obtain a copy of these safeguards or to be referred to where they are available.
Automated decision-making (including profiling) and profiling
For the purpose of this Notice “profiling” means any form of automated processing of Personal Data (i.e. by electronic means, without human involvement), where Personal Data is used for the assessment of particular aspects related to the natural person with regard to their profession, economic position, health, personal preferences, place of residence, etc.
- For dhig GmbH
- For the Insurer
Your Personal Data may become subject to automated decision-making (including profiling) by the Insurer through information processing systems (e.g. IT applications, software, electronic calculators, etc.), inter alia, for the following purposes:
- to analyze insurance risk (evaluating Insurer’s risk exposure), for identifying potential insurance fraud, for determining a client’s risk for setting Insurance Premium rate – e.g. depending on the specifics of the particular type of insurance, the Insurer may use information systems to calculate the probability of occurrence of the insurance event;
- in order to provide you with personalized marketing offers that may be of interest to you (only subject to your prior consent or based on a legitimate interest of the Insurer), i.e. the Insurer may conduct profiling to evaluate your situation and anticipate your needs, and thereby to prepare the most suitable offer for you.
Your rights in respect of processing of your Personal Data
You have various rights in relation to your Personal Data, including:
- The right to access your personal data – you have the right to obtain a confirmation as to whether or not your Personal Data is processed; and, where that is the case, access to such Personal Data (including receipt of a copy thereof);
- The right to rectification – i.e. the right to request correcting of inaccurate Personal Data, as well as your incomplete Personal Data to be completed;
- The right to erasure – i.e. the right to request erasure of your Personal Data when there are conditions for such erasure as foreseen in applicable laws (e.g. where the purpose for which Personal Data was collected has been achieved; you have withdrawn your consent when the processing is consent-based and there are no other legal grounds for processing; your Personal Data is being processed unlawfully, etc.);
- The right to request restriction of processing of your Personal Data in cases stipulated by applicable laws;
- The right to data portability – i.e. the right to request that your Personal Data is provided in a structured, commonly used and machine-readable format, should your Personal Data be processed by automated means;
- The right to object processing based on legitimate interest or for performing a task in the public interest or to exercise an official authority vested in the Controller;
- The right to object to any decision producing legal effects concerning you or similarly significantly affecting you, if this is based solely on automated decision-making, including automated decisions based on profiling;
- The right to withdraw your consent – where your Personal Data is processed based on your provided consent, you shall always have the right to withdraw it. Should you withdraw your consent, the Controller may no longer be able to execute actions for which such processing is necessary;
- The right to lodge a complaint – if you have a concern or complaint regarding how your Personal Data is processed, please contact the Controller in question in the first instance. Furthermore, if you believe that your Personal Data is processed in breach with applicable laws, you can file a complaint respectively with an authorised data processing supervisory authority of the Controller in breach (dhig GmbH or the Insurer). Please note the following:
- In case when processing of your Personal Data is subject to GDPR and you consider that processing of your Personal Data infringes GDPR – then you have the right to lodge a complaint with a supervisory authority (i.e. an independent public authority responsible for monitoring the application of the GDPR), in particular in the European Economic Area Member State of your habitual residence, place of work or place of the alleged infringement within the European Economic Area.
- Should you have complaints with regards to how dhig GmbH processes your Personal Data as its processor on behalf of the Insurer, you may complain to this Insurer.
- as dhig GmbH is incorporated under the legislation of the Republic of Austria, you also may lodge a complaint to Österreichische Datenschutzbehörde (webpage: https://www.dsb.gv.at/; address: Barichgasse 40-42 ,1030 Vienna, Austria; Telephone: +43 1 52 152-0; E-Mail: [email protected]).